Re: DSA-1615-1 vs. tracker

To: debian-security-tracker@lists.debian.org
Subject: Re: DSA-1615-1 vs. tracker
From: Gerfried Fuchs <rhonda@deb.at>
Date: Tue, 9 Sep 2008 16:57:24 +0200
Message-id: <[🔎] 20080909145724.GA23080@asteria.debian.or.at>
Mail-followup-to: debian-security-tracker@lists.debian.org
In-reply-to: <[🔎] 87hc8psmoh.fsf@mid.deneb.enyo.de>
References: <200807261934.29514.thijs@debian.org> <20080726202516.c0b546d5.frx@firenze.linux.it> <20080728194542.4be0562c.frx@firenze.linux.it> <20080728191531.GA3774@galadriel.inutil.org> <20080815153832.25939ec9.frx@firenze.linux.it> <[🔎] 20080907101832.c28c7a9f.frx@firenze.linux.it> <[🔎] 20080908113148.GA26762@asteria.debian.or.at> <[🔎] 7ec91e803b8ecd0e29d03cc80368a8c3.squirrel@wm.kinkhorst.nl> <[🔎] 20080908115225.GA4399@asteria.debian.or.at> <[🔎] 87hc8psmoh.fsf@mid.deneb.enyo.de>

* Florian Weimer <fw@deneb.enyo.de> [2008-09-09 11:17:34 CEST]:
> * Gerfried Fuchs:
> >  I guess as I haven't received any feedback about my patch to the
> > Makefile it is fine to commit that? I will try to dig into how to
> > produce outstanding issue pages for volatile and backports next then.
> 
> I think we also need to implement some form of version name mutilation
> because the ~bpo string needs to be dropped for comparison purposes.

 ... or rather the meaning in the comparison for ~bpo (and ~volatile) be
changed to bigger-than-only-null-string - which might get tricky indeed.
Another approach would be parsing the changelogs (which would mean
having to extract them) and look for the changelog entry version that
are meant to fix the problem.

 Both approaches have their benefits (the latter e.g. for making sure a
maintainer doesn't upload a new version based on their own old upload
instead of the security one, losing the security fix) but indeed have
major drawbacks in the sense that it needs quite some code to get them
implemented.

 Just some thoughts,
Rhonda

Reply to:

References:
- Re: DSA-1615-1 vs. tracker
  - From: Francesco Poli <frx@firenze.linux.it>
- Re: DSA-1615-1 vs. tracker
  - From: Gerfried Fuchs <rhonda@deb.at>
- Re: DSA-1615-1 vs. tracker
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: DSA-1615-1 vs. tracker
  - From: Gerfried Fuchs <rhonda@deb.at>
- Re: DSA-1615-1 vs. tracker
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: DSA-1615-1 vs. tracker
Next by Date: Re: [Secure-testing-commits] r9775 - data/CVE
Previous by thread: Re: DSA-1615-1 vs. tracker
Next by thread: Re: DSA-1615-1 vs. tracker
Index(es):
- Date
- Thread